On December 1, Wikileaks published 90 gigabytes of classified documents from the German parliamentary commission that investigates NSA spying and the cooperation between NSA and the German foreign intelligence service BND. The documents include 125 files from BND, 33 from the security service BfV and 72 from the information security agency BSI. It should be noted though that all documents are from the lowest classification level and many of them are just formal letters, copies of press reports and duplicates within e-mail threads. Nonetheless, the files also provide interesting new details, for example about the German classification system, BND’s internal structure, the way the agency handled the Snowden revelations and the use of XKEYSCORE.

The German parliamentary investigation commission just before a hearing (photo: DPA)

About

Some background information was provided in an article from the newspaper Die Zeit, which says that only documents with the lowest classification level (VS NfD or RESTRICTED) are scanned and made available to the investigation commission on a government server. They are also available at the federal Chancellery.

Documents with a higher classification level are not digitized and have to be read in a secure room (German: Geheimschutzstelle) in the parliament building. Most of the documents classified Top Secret can only be viewed at the Chancellery or at the new Berlin headquarters of BND.

Classified documents provided to the investigation commission (still from the ARD documentary Schattenwelt BND)

Regarding the source of this leak, IT experts of the German parliament said that they found no indications of a hack. Der Spiegel suggests that the source might be a member of the parliamentary commission for foreign affairs or for the affairs of the European Union, because one document published by Wikileaks (since removed) was only available to members of those two commissions.

Wikileaks hasn’t redacted anything. Almost everything that is redacted is in blue, which is apparently the way BND redacts its own documents. Therefore, the files still contain all the internal organizational designators as well as the e-mail aliases or addresses of many German government units and employees.

Internal BND e-mail from the EAD branch for the relationships with western countries &
cooperation partners, and the EADD unit for relationships with North America & Oceania

BND classifications

Documents from BND are classified according to the official German classification system, which has four levels, corresponding to those used in many other countries:

Besides these common classification levels, it was suspected that there would be at least one higher or more restrictive category to protect highly sensitive information. This has now been confirmed by various letters from the Wikileaks trove, which mention the following two classification markings:

The use of these markings is apparently a secret in itself, because even members of the parliamentary commission were puzzled about their exact meaning and usage. It seems though that these categories are rather similar to the US classification system, which was explained here earlier.

The German marking ANRECHT apparently means that certain information is classified Secret or Top Secret, but that within that particular level, it’s only meant for those people who have a need-to-know (German: Anrecht), apparently in particular when it comes to signals intelligence. In the United States this is realized through a range of different dissemination markings.

The marking SCHUTZWORT is also meant to restrict access, but in this case the originator of a particular document determines a codeword (German: Schutzwort), which is provided only to those people who are allowed access to that document. This is similar to the system of Sensitive Compartmented Information (SCI) used in the US, where several formerly secret codewords have since been declassified.

A security manual from the German armed forces from 1988 also mentions special classification categories, like for example SCHUTZWORT and KRYPTO, the latter apparently for classified cryptographic information.
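To make the three restrictions described above concrete, here is a small access-control model written for this post (it is an added illustration, not BND's actual system or software). It treats the hierarchical level, the ANRECHT need-to-know restriction and the SCHUTZWORT codeword as three separate gates that must all pass, and it also models why a cover letter that carried STRENG GEHEIM-ANRECHT attachments drops back to a lower marking once those attachments are removed, as in the UNGÜLTIG letter shown below. The four level names are the standard German ones; the topic names, codewords and clearances are constructed values.

```python
"""Toy model of level + ANRECHT + SCHUTZWORT access checks (constructed example)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# The four hierarchical levels of the German system, lowest first.
LEVELS = ("VS-NfD", "VS-VERTRAULICH", "GEHEIM", "STRENG GEHEIM")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Marking on a document: level plus optional ANRECHT and SCHUTZWORT restrictions."""
    level: str
    topics: FrozenSet[str] = frozenset()         # what the document is about (constructed, e.g. "SIGINT")
    anrecht: bool = False                        # need-to-know restriction within the level
    schutzwoerter: FrozenSet[str] = frozenset()  # originator-chosen codewords, all required


@dataclass(frozen=True)
class Clearance:
    """What a reader holds: a level, need-to-know topics and codewords passed on by originators."""
    level: str
    need_to_know: FrozenSet[str] = frozenset()
    codewords: FrozenSet[str] = frozenset()


def may_access(clearance: Clearance, label: Label) -> Tuple[bool, str]:
    """Evaluate the three gates in order; the first failing gate is reported."""
    # Gate 1: hierarchical level. A STRENG GEHEIM clearance dominates GEHEIM, etc.
    if RANK[clearance.level] < RANK[label.level]:
        return False, "clearance level below document level"
    # Gate 2: ANRECHT. Within the level, every topic of the document must be one
    # the reader has a need-to-know for; the level alone is not sufficient.
    if label.anrecht and not label.topics <= clearance.need_to_know:
        missing = ", ".join(sorted(label.topics - clearance.need_to_know))
        return False, "no need-to-know (ANRECHT) for: " + missing
    # Gate 3: SCHUTZWORT. The reader must hold every codeword the originator set.
    if not label.schutzwoerter <= clearance.codewords:
        return False, "SCHUTZWORT not held"
    return True, "access granted"


def aggregate_label(parts: Iterable[Label]) -> Label:
    """Marking of a bundle (cover letter + attachments): the highest level of any
    part, ANRECHT if any part carries it, and the union of all codewords.
    Re-aggregating without the attachments lowers the marking again."""
    parts = list(parts)
    top = max(parts, key=lambda p: RANK[p.level])
    return Label(
        level=top.level,
        topics=frozenset().union(*(p.topics for p in parts)),
        anrecht=any(p.anrecht for p in parts),
        schutzwoerter=frozenset().union(*(p.schutzwoerter for p in parts)),
    )


def demo() -> dict:
    """Run the scenarios from the text and return the outcomes by name."""
    sigint_report = Label("STRENG GEHEIM", frozenset({"SIGINT"}), anrecht=True)
    codeword_doc = Label("GEHEIM", frozenset({"LIAISON"}), schutzwoerter=frozenset({"BEISPIELWORT"}))
    cover_letter = Label("VS-NfD", frozenset({"ADMIN"}))

    ts_only = Clearance("STRENG GEHEIM")                                    # level, no need-to-know
    ts_sigint = Clearance("STRENG GEHEIM", need_to_know=frozenset({"SIGINT"}))
    holder = Clearance("GEHEIM", codewords=frozenset({"BEISPIELWORT"}))
    low = Clearance("VS-NfD")

    return {
        "level_too_low": may_access(low, sigint_report)[0],              # False
        "ts_without_anrecht": may_access(ts_only, sigint_report)[0],     # False
        "ts_with_anrecht": may_access(ts_sigint, sigint_report)[0],      # True
        "ts_without_codeword": may_access(ts_sigint, codeword_doc)[0],   # False
        "holder_of_codeword": may_access(holder, codeword_doc)[0],       # True
        "bundle_level": aggregate_label([cover_letter, sigint_report]).level,  # STRENG GEHEIM
        "letter_alone_level": aggregate_label([cover_letter]).level,           # VS-NfD
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is that the three gates are independent: a Top Secret clearance does not pass the ANRECHT gate by itself, and holding the need-to-know does not substitute for a codeword the originator never handed out.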

Letter from the Chancellery which was classified STRENG GEHEIM-ANRECHT,
which was marked as cancelled (UNGÜLTIG) after the attached
documents at that classification level were removed

BND organization

The files published by Wikileaks also contain a set of charts showing the organizational structure of BND between the year 2000 and 2014. There are some changes in the agency’s divisions, with a reorganization in 2009, as can be seen in the following charts:

BND organization chart, situation until 2009

BND organization chart, situation since 2009

A more detailed BND organization chart was among the Snowden documents and was published earlier by Der Spiegel.

Internal designators

The BND’s divisions, branches and units are designated by codes that consist of letters, written in capitals. In the current situation the main divisions have a two-letter designator which is more or less an abbreviation of their full name. The SIGINT division is for example TA, which stands for Technische Aufklärung.

From the e-mails published by Wikileaks we learn that lower units are designated by adding additional letters or words to the division designator. It seems that these additional letters can be the first letter of a full name, a more or less random letter, or A for the first unit, B for the second unit, etc.

For example, „PLSA-HH-Recht-SI“ is the first branch (A) of PLS, which is the BND president’s staff. The term „Recht“ indicates that this is apparently a unit for legal issues. A simpler designator is „GLAAY“, which is a unit of the division GL (Gesamtlage).

By combining several documents related to XKEYSCORE, the following list of designators for BND’s field stations could be reconstructed:

The organization chart for BND’s structure since 2009 shows that there are four divisions for analysis and production, which is where analysts prepare intelligence reports:
– Two divisions are for topical missions: TE for international terrorism and organized crime, and TW for proliferation of weapon systems and ABC weapons.
– The other two divisions, LA and LB, are responsible for a geographical area. From their logos in the signature block in internal e-mails we learn that LB is responsible for Africa, the Middle East and Afghanistan, while LA has the rest of the world:

XKEYSCORE

According to Wikileaks, one of the more interesting documents from their release is one that allegedly proves that „a BND employee will be tasked to use and write software for XKeyscore.“ However, the German tech website Golem says that this seems to be based on a text section that only refers to BND employee A.S., who helped install XKEYSCORE at the Berlin headquarters of the domestic security service BfV, which uses this system only for analysing terrorism-related data sets.

More interesting are several other documents about XKEYSCORE. For example, in a list of answers prepared for the meeting of the parliamentary oversight commission on November 6, 2013, it is said that XKEYSCORE has been used since 2007 in Bad Aibling and that the system has been tested since February 2013 at the satellite intercept stations Schöningen and Rheinhausen. It was planned to use XKEYSCORE on a regular basis at the latter two locations too.

An internal BND e-mail from November 5, 2013, explains that at Schöningen and Rheinhausen, XKEYSCORE is used for intercepting foreign satellite communications. The specific purpose for the system is determining which satellite links are most useful and subsequently checking whether the traffic contains the communications of people the BND is looking for (so-called survey):

Internal BND e-mail about the use of XKEYSCORE at BND’s satellite stations (source: Wikileaks, pdf-page 248)

This is a rather unexpected use of XKEYSCORE, because for NSA and GCHQ the strength of the system lies in its capability to reassemble internet packets, filter them and allow analysts to search buffered content. It is still not fully clear whether BND uses XKEYSCORE also in this way.

In November 2014, W.K. from BND’s SIGINT division testified that XKEYSCORE was used for decoding and demodulating IP traffic. Decoding, which makes the traffic readable, happens both online and on stored data, while demodulating, which serves to select the proper satellite links, only happens on online data streams.

At Schöningen and Rheinhausen XKEYSCORE was only used for the latter purpose, in the pre-analysis stage. This also emerged from some testimonies before the investigation commission. For example E.B., head of the Schöningen station, said that XKEYSCORE was only used for looking at a few days of satellite traffic to determine which communication links were in it.

An earlier presentation about satellite interception at Menwith Hill Station in the UK shows that NSA and GCHQ have other systems, like DARKQUEST, for surveying satellite links, after which XKEYSCORE is used for processing and analysing the data.

IBM servers

The Wikileaks files also contain an internal BND order form from February 25, 2014, used for ordering six servers for field station 3D20: two IBM X3650 M4 and four IBM X3550 M4 servers, with a total cost of 58,000 euros. A separate text explains that these servers were needed for both PDBD and XKEYSCORE:

– PDBD was the new centralized BND tasking database, which would replace the proprietary tasking databases used at the various field stations.

– XKEYSCORE is described as a system that decodes packet-switched telecommunications traffic like e-mail, messenger, chat, geolocation information, etc. and is used for analysing telecommunications traffic. At BND the system was needed because it became increasingly difficult to extract relevant information from the ever growing amount of data. The servers were needed to move XKEYSCORE from test to operational status.

Internal BND order form for several IBM servers to be used for XKEYSCORE and PDBD (source: Wikileaks, pdf-page 72)

PRISM

A large file from the commission documents is about the reaction to the revelation of PRISM. In August 2013, members of the Bundestag asked so many questions about this NSA program that one BND employee complained that it was unreasonable to expect his agency to provide all the answers.

At that time, many details about PRISM weren’t clear yet and statements from the US government and from internet companies seemed to contradict each other. Among the documents that BND forwarded to the parliamentary commission was also one report from July 2013, which summarizes what was known about PRISM at that time.

This report was made by people from unit ÖS I 3 of the Public Safety division of the German Interior Ministry (BMI). After summarizing what was known from the press reports, the report also describes a second tool that is named PRISM – based upon an earlier article on this weblog:

Summary of a second PRISM program as described on this weblog (source: Wikileaks, pdf-page 104)

Shortly after the existence of PRISM was revealed in early June 2013, much was unclear, so I did some open source research and found that the US military uses a program named PRISM, which in this case is an acronym for „Planning tool for Resource Integration, Synchronization and Management“.

Shortly afterwards, in July 2013, German press published an NSA letter saying that there are actually three different programs with the name PRISM: one that collects data from the big internet companies, one that is used as a military tasking and planning tool, and finally one that is used for internal data sharing in NSA’s Information Assurance Directorate (IAD).

BOUNDLESSINFORMANT

On July 29, 2013, the German magazine Der Spiegel published a chart from the NSA tool BOUNDLESSINFORMANT. The chart was related to Germany and it was thought that it showed that NSA had intercepted over 550 million pieces of communications traffic.

But within just a few days, BND contacted Der Spiegel, saying that they collected those data, and shared them with NSA. The SIGADs US-987LA and US-987LB designated collection at the BND satellite station in Bad Aibling and (wireless) interception of phone calls in Afghanistan, respectively. This was confirmed by NSA and published by Der Spiegel on August 5, 2013.

BOUNDLESSINFORMANT screenshot showing metadata related to Germany
as published by Der Spiegel on July 29, 2013

An e-mail published by Wikileaks shows that in the meantime, M.J. from unit 3D3D of the Bad Aibling station was comparing the numbers from the BOUNDLESSINFORMANT chart with those from his logfiles and Nagios checks. In the e-mail, sent on August 12, 2013 to his boss R.U., he concluded that at the beginning of the month there was a relatively clear similarity with the chart from Der Spiegel:

The chart that seems to have been prepared by BND employee M.J. to compare
with the one from BOUNDLESSINFORMANT (note the different scale)

It should be noted that BND didn’t count the amount of metadata they provided to NSA; they did so only for content, so the numbers from M.J.’s chart may not be fully accurate. Even more puzzling is a table that was also attached to the e-mail from M.J. and contains the daily numbers for the metadata during this period:

The table that seems to have been prepared by BND employee M.J. with the daily
metadata numbers, to compare with the chart from BOUNDLESSINFORMANT

The strange thing here is that on the right side, the table has daily numbers broken down for several processing systems – strange because the chart from Der Spiegel only provided aggregated numbers, and because three codenames weren’t seen in the published BOUNDLESSINFORMANT charts: POPTOP, CRON and SNOWHAZE. Did NSA provide these more detailed numbers so BND could compare them?
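The comparison M.J. made, reconciling per-day counts from one's own logfiles against an externally published daily series, is a routine check for anyone who has to verify or refute a claim about collection volumes. The following script is an added example written for this post, not the BND employee's spreadsheet or tooling: it parses constructed log lines in an invented format, aggregates them per day and per processing system (using the three codenames from the table, POPTOP, CRON and SNOWHAZE, purely as labels), and compares the daily totals against a constructed "published" series with a tolerance that allows for the caveat above that metadata and content were not counted the same way.

```python
"""Reconcile own per-day log counts against a published daily series (constructed example)."""
import re
from collections import defaultdict
from datetime import date
from typing import Dict, Tuple

# Constructed log excerpt in an invented format (not Nagios or BND output):
# "<ISO timestamp> <processing system> <records in this batch>"
SAMPLE_LOG = """\
2013-07-01T00:05:00 POPTOP 1200
2013-07-01T06:10:00 CRON 800
2013-07-01T12:15:00 SNOWHAZE 500
2013-07-02T00:05:00 POPTOP 1300
2013-07-02T06:10:00 CRON 700
2013-07-03T00:05:00 POPTOP 900
2013-07-03T09:00:00 checker restarted, no count
2013-07-03T12:15:00 SNOWHAZE 1100
"""

# Constructed daily totals standing in for the aggregated numbers of a published chart.
PUBLISHED: Dict[date, int] = {
    date(2013, 7, 1): 2500,
    date(2013, 7, 2): 2000,
    date(2013, 7, 3): 3000,
}

LINE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T\S+ ([A-Z]+) (\d+)$")


def parse_log(text: str) -> Tuple[Dict[date, Dict[str, int]], int]:
    """Return ({day: {system: count}}, number_of_skipped_lines).

    Lines that do not match the expected shape are counted and skipped rather than
    silently dropped, so a reconciliation built on them can state its own coverage."""
    per_day: Dict[date, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        y, mo, d, system, n = m.groups()
        per_day[date(int(y), int(mo), int(d))][system] += int(n)
    return {day: dict(v) for day, v in per_day.items()}, skipped


def daily_totals(per_day: Dict[date, Dict[str, int]]) -> Dict[date, int]:
    """Collapse the per-system breakdown into the aggregate a published chart would show."""
    return {day: sum(v.values()) for day, v in per_day.items()}


def reconcile(own: Dict[date, int], published: Dict[date, int],
              tolerance: float = 0.05) -> Dict[date, Tuple[int, int, float, bool]]:
    """For every day in either series return (own, published, relative_diff, within_tolerance).

    A day present in only one series is compared against zero, so it shows up as a
    mismatch instead of disappearing from the report."""
    report = {}
    for day in sorted(set(own) | set(published)):
        a, b = own.get(day, 0), published.get(day, 0)
        rel = abs(a - b) / max(b, 1)  # relative to the published figure; guard against 0
        report[day] = (a, b, rel, rel <= tolerance)
    return report


def mismatched_days(text: str = SAMPLE_LOG, published: Dict[date, int] = PUBLISHED) -> list:
    """Convenience wrapper: the days on which own logs and the published series disagree."""
    per_day, _ = parse_log(text)
    return [day for day, (_, _, _, ok) in reconcile(daily_totals(per_day), published).items() if not ok]


if __name__ == "__main__":
    per_day, skipped = parse_log(SAMPLE_LOG)
    print(f"skipped {skipped} unparseable line(s)")
    for day, (a, b, rel, ok) in reconcile(daily_totals(per_day), PUBLISHED).items():
        flag = "ok" if ok else "MISMATCH"
        print(f"{day}: own={a} published={b} diff={rel:.1%} {flag} breakdown={per_day[day]}")
```

On the constructed data the first two days match and July 3 does not, and the per-system breakdown printed next to each day is exactly the kind of detail an aggregated chart cannot give you, which is why a table with such a breakdown raises the question the text ends with.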

Index

Finally, a list of some of the most interesting files found so far (would have been useful when Wikileaks provided this kind of index though):